security/sandbox/win/src/policy_target.cc@6474c204b198 (annotated)
security/sandbox/win/src/policy_target.cc
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rw-r--r--
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
| michael@0 | 1 | // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
| michael@0 | 2 | // Use of this source code is governed by a BSD-style license that can be |
| michael@0 | 3 | // found in the LICENSE file. |
| michael@0 | 4 | |
| michael@0 | 5 | #include "sandbox/win/src/policy_target.h" |
| michael@0 | 6 | |
| michael@0 | 7 | #include "sandbox/win/src/crosscall_client.h" |
| michael@0 | 8 | #include "sandbox/win/src/ipc_tags.h" |
| michael@0 | 9 | #include "sandbox/win/src/policy_engine_processor.h" |
| michael@0 | 10 | #include "sandbox/win/src/policy_low_level.h" |
| michael@0 | 11 | #include "sandbox/win/src/policy_params.h" |
| michael@0 | 12 | #include "sandbox/win/src/sandbox_factory.h" |
| michael@0 | 13 | #include "sandbox/win/src/sandbox_nt_util.h" |
| michael@0 | 14 | #include "sandbox/win/src/sharedmem_ipc_client.h" |
| michael@0 | 15 | #include "sandbox/win/src/target_services.h" |
| michael@0 | 16 | |
| michael@0 | 17 | namespace sandbox { |
| michael@0 | 18 | |
| michael@0 | 19 | // Handle for our private heap. |
| michael@0 | 20 | extern void* g_heap; |
| michael@0 | 21 | |
| michael@0 | 22 | // This is the list of all imported symbols from ntdll.dll. |
| michael@0 | 23 | SANDBOX_INTERCEPT NtExports g_nt; |
| michael@0 | 24 | |
| michael@0 | 25 | // Policy data. |
| michael@0 | 26 | extern void* volatile g_shared_policy_memory; |
| michael@0 | 27 | SANDBOX_INTERCEPT size_t g_shared_policy_size; |
| michael@0 | 28 | |
| michael@0 | 29 | bool QueryBroker(int ipc_id, CountedParameterSetBase* params) { |
| michael@0 | 30 | DCHECK_NT(static_cast<size_t>(ipc_id) < kMaxServiceCount); |
| michael@0 | 31 | DCHECK_NT(g_shared_policy_memory); |
| michael@0 | 32 | DCHECK_NT(g_shared_policy_size > 0); |
| michael@0 | 33 | |
| michael@0 | 34 | if (static_cast<size_t>(ipc_id) >= kMaxServiceCount) |
| michael@0 | 35 | return false; |
| michael@0 | 36 | |
| michael@0 | 37 | PolicyGlobal* global_policy = |
| michael@0 | 38 | reinterpret_cast<PolicyGlobal*>(g_shared_policy_memory); |
| michael@0 | 39 | |
| michael@0 | 40 | if (!global_policy->entry[ipc_id]) |
| michael@0 | 41 | return false; |
| michael@0 | 42 | |
| michael@0 | 43 | PolicyBuffer* policy = reinterpret_cast<PolicyBuffer*>( |
| michael@0 | 44 | reinterpret_cast<char*>(g_shared_policy_memory) + |
| michael@0 | 45 | reinterpret_cast<size_t>(global_policy->entry[ipc_id])); |
| michael@0 | 46 | |
| michael@0 | 47 | if ((reinterpret_cast<size_t>(global_policy->entry[ipc_id]) > |
| michael@0 | 48 | global_policy->data_size) || |
| michael@0 | 49 | (g_shared_policy_size < global_policy->data_size)) { |
| michael@0 | 50 | NOTREACHED_NT(); |
| michael@0 | 51 | return false; |
| michael@0 | 52 | } |
| michael@0 | 53 | |
| michael@0 | 54 | for (int i = 0; i < params->count; i++) { |
| michael@0 | 55 | if (!params->parameters[i].IsValid()) { |
| michael@0 | 56 | NOTREACHED_NT(); |
| michael@0 | 57 | return false; |
| michael@0 | 58 | } |
| michael@0 | 59 | } |
| michael@0 | 60 | |
| michael@0 | 61 | PolicyProcessor processor(policy); |
| michael@0 | 62 | PolicyResult result = processor.Evaluate(kShortEval, params->parameters, |
| michael@0 | 63 | params->count); |
| michael@0 | 64 | DCHECK_NT(POLICY_ERROR != result); |
| michael@0 | 65 | |
| michael@0 | 66 | return POLICY_MATCH == result && ASK_BROKER == processor.GetAction(); |
| michael@0 | 67 | } |
| michael@0 | 68 | |
| michael@0 | 69 | // ----------------------------------------------------------------------- |
| michael@0 | 70 | |
| michael@0 | 71 | // Hooks NtSetInformationThread to block RevertToSelf from being |
| michael@0 | 72 | // called before the actual call to LowerToken. |
| michael@0 | 73 | NTSTATUS WINAPI TargetNtSetInformationThread( |
| michael@0 | 74 | NtSetInformationThreadFunction orig_SetInformationThread, HANDLE thread, |
| michael@0 | 75 | NT_THREAD_INFORMATION_CLASS thread_info_class, PVOID thread_information, |
| michael@0 | 76 | ULONG thread_information_bytes) { |
| michael@0 | 77 | do { |
| michael@0 | 78 | if (SandboxFactory::GetTargetServices()->GetState()->RevertedToSelf()) |
| michael@0 | 79 | break; |
| michael@0 | 80 | if (ThreadImpersonationToken != thread_info_class) |
| michael@0 | 81 | break; |
| michael@0 | 82 | if (!thread_information) |
| michael@0 | 83 | break; |
| michael@0 | 84 | HANDLE token; |
| michael@0 | 85 | if (sizeof(token) > thread_information_bytes) |
| michael@0 | 86 | break; |
| michael@0 | 87 | |
| michael@0 | 88 | NTSTATUS ret = CopyData(&token, thread_information, sizeof(token)); |
| michael@0 | 89 | if (!NT_SUCCESS(ret) || NULL != token) |
| michael@0 | 90 | break; |
| michael@0 | 91 | |
| michael@0 | 92 | // This is a revert to self. |
| michael@0 | 93 | return STATUS_SUCCESS; |
| michael@0 | 94 | } while (false); |
| michael@0 | 95 | |
| michael@0 | 96 | return orig_SetInformationThread(thread, thread_info_class, |
| michael@0 | 97 | thread_information, |
| michael@0 | 98 | thread_information_bytes); |
| michael@0 | 99 | } |
| michael@0 | 100 | |
| michael@0 | 101 | // Hooks NtOpenThreadToken to force the open_as_self parameter to be set to |
| michael@0 | 102 | // FALSE if we are still running with the impersonation token. open_as_self set |
| michael@0 | 103 | // to TRUE means that the token will be open using the process token instead of |
| michael@0 | 104 | // the impersonation token. This is bad because the process token does not have |
| michael@0 | 105 | // access to open the thread token. |
| michael@0 | 106 | NTSTATUS WINAPI TargetNtOpenThreadToken( |
| michael@0 | 107 | NtOpenThreadTokenFunction orig_OpenThreadToken, HANDLE thread, |
| michael@0 | 108 | ACCESS_MASK desired_access, BOOLEAN open_as_self, PHANDLE token) { |
| michael@0 | 109 | if (!SandboxFactory::GetTargetServices()->GetState()->RevertedToSelf()) |
| michael@0 | 110 | open_as_self = FALSE; |
| michael@0 | 111 | |
| michael@0 | 112 | return orig_OpenThreadToken(thread, desired_access, open_as_self, token); |
| michael@0 | 113 | } |
| michael@0 | 114 | |
| michael@0 | 115 | // See comment for TargetNtOpenThreadToken |
| michael@0 | 116 | NTSTATUS WINAPI TargetNtOpenThreadTokenEx( |
| michael@0 | 117 | NtOpenThreadTokenExFunction orig_OpenThreadTokenEx, HANDLE thread, |
| michael@0 | 118 | ACCESS_MASK desired_access, BOOLEAN open_as_self, ULONG handle_attributes, |
| michael@0 | 119 | PHANDLE token) { |
| michael@0 | 120 | if (!SandboxFactory::GetTargetServices()->GetState()->RevertedToSelf()) |
| michael@0 | 121 | open_as_self = FALSE; |
| michael@0 | 122 | |
| michael@0 | 123 | return orig_OpenThreadTokenEx(thread, desired_access, open_as_self, |
| michael@0 | 124 | handle_attributes, token); |
| michael@0 | 125 | } |
| michael@0 | 126 | |
| michael@0 | 127 | } // namespace sandbox |
